Appendix: What Are Security Policy Anomalies?
As we know, a security policy consists of matching conditions and actions. To analyze security policy anomalies, first analyze the relation between matching conditions and then check whether actions are the same. Assume that Policy 1 and Policy 2 are configured, and Policy 1 is prior to Policy 2. Table 1 Analysis of security policy anomalies describes security policy anomalies.
Matching Conditions Relation |
Action |
Anomaly Analysis |
|---|---|---|
Policy 1 includes Policy 2. |
Same |
A redundancy anomaly occurs, and Policy 2 can never be matched. Delete Policy 2. |
Different |
A shadow anomaly occurs, and Policy 2 can never be matched. Analyze the necessity of Policy 2 based on service requirements. Delete Policy 2 or move Policy 2 prior to Policy 1. |
|
Policy 2 includes Policy 1. |
Same |
A redundancy anomaly occurs, and Policy 1 is redundant. Delete Policy 1. |
Different |
A generalization anomaly occurs. Analyze the necessity of Policy 1 based on service requirements to determine whether to delete Policy 1 or retain the current status. |
|
Policy 1 and Policy 2 contain intersecting matching conditions. |
Same |
A redundancy anomaly occurs, and the intersecting matching conditions are redundant. Combine Policy 1 with Policy 2. |
Different |
A correlation anomaly occurs. Traffic that matches the intersecting matching conditions are processed based on the action defined in Policy 1. Analyze the intersecting matching conditions of Policy 1 and Policy 2 based on service requirements, determine an applicable security policy, and tune the configuration. |
|
Policy 1 and Policy 2 are irrelevant to each other. |
Same |
No anomaly occurs, and no processing is required. |
Different |
No anomaly occurs, and no processing is required. |
Shadow Anomaly
A shadow anomaly occurs if Policy 1 contain matching conditions in Policy 2 and the actions in the two policies are different. All packets that may match Policy 2 have matched Policy 1. Therefore, Policy 2 will never be matched and becomes a shadowed policy.
Example:
No. |
Name |
Source Security Zone |
Destination Security Zone |
Source Address/Region |
Destination Address/Region |
Service |
Action |
|---|---|---|---|---|---|---|---|
101 |
Policy 1 |
trust |
dmz |
10.1.1.1-10.1.1.100 |
10.2.1.1-10.2.1.10 |
telnet ftp |
permit |
102 |
Policy 2 |
trust |
dmz |
10.1.1.10 |
10.2.1.10 |
telnet |
deny |
Check whether Policy 2 is appropriate based on service requirements (whether packets that meet conditions should be blocked). If Policy 2 is appropriate, move Policy 2 prior to Policy 1. Otherwise, delete Policy 2.
If Policy 1 and Policy 2 contain the same matching conditions, delete either Policy 1 or Policy 2 based on service requirements.
Correlation Anomaly
If Policy 1 contains some matching conditions defined in Policy 2 and Policy 2 also contains some matching conditions defined in Policy 1, the two security policies have an intersection relation. In this case, if their actions are different, a correlation anomaly occurs. Determine an action (permit/deny) for packets matching the intersecting matching conditions of two security policies based on service requirements.
Example:
No. |
Name |
Source Security Zone |
Destination Security Zone |
Source Address/Region |
Destination Address/Region |
Service |
Action |
|---|---|---|---|---|---|---|---|
101 |
Policy 1 |
trust |
dmz |
10.1.1.10 |
10.2.1.1-10.2.1.10 |
telnet |
deny |
102 |
Policy 2 |
trust |
dmz |
10.1.1.1-10.1.1.10 |
10.2.1.1 |
telnet |
permit |
In the preceding example, Telnet service packets from 10.1.1.10 to 10.2.1.1 match Policy 1 and are blocked. If the order of the two security policies is reversed, the preceding service packets are permitted. You are advised to adjust the matching conditions of the two security policies to remove the correlation.
If the Telnet service packets need to be blocked, policy settings are as follows.
No. |
Name |
Source Security Zone |
Destination Security Zone |
Source Address/Region |
Destination Address/Region |
Service |
Action |
|---|---|---|---|---|---|---|---|
101 |
Policy 1 |
trust |
dmz |
10.1.1.10 |
10.2.1.1-10.2.1.10 |
telnet |
deny |
102 |
Policy 2 |
trust |
dmz |
10.1.1.1-10.1.1.9 |
10.2.1.1 |
telnet |
permit |
If the preceding Telnet service packets need to be permitted, policy settings are as follows.
No. |
Name |
Source Security Zone |
Destination Security Zone |
Source Address/Region |
Destination Address/Region |
Service |
Action |
|---|---|---|---|---|---|---|---|
101 |
Policy 1 |
trust |
dmz |
10.1.1.10 |
10.2.1.2-10.2.1.10 |
telnet |
deny |
102 |
Policy 2 |
trust |
dmz |
10.1.1.1-10.1.1.10 |
10.2.1.1 |
telnet |
permit |
Redundancy Anomaly
If the matching conditions of the two security policies fully or partially overlap (inclusive or intersecting) and the actions are the same, a redundancy anomaly occurs. Redundancy anomalies do not affect the security policy matching result, but increase the length of a security policy list, adversely affecting the matching speed and firewall performance. In addition, the redundancy policies increase management complexity.
Example:
No. |
Name |
Source Security Zone |
Destination Security Zone |
Source Address/Region |
Destination Address/Region |
Service |
Action |
|---|---|---|---|---|---|---|---|
101 |
Policy 1 |
trust |
dmz |
10.1.1.1-10.1.1.100 |
10.2.1.1-10.2.1.10 |
telnet ftp |
permit |
102 |
Policy 2 |
trust |
dmz |
10.1.1.1-10.1.1.100 |
10.2.1.10 |
telnet |
permit |
As shown in the preceding example, if Policy 1 contains matching conditions defined in Policy 2, Policy 2 is redundant and can be deleted. If Policy 2 contains matching conditions defined in Policy 1, delete Policy 1.
If the matching conditions in Policy 1 and Policy 2 are the same, delete either Policy 1 or Policy 2.
If some matching conditions in Policy 1 and Policy 2 intersect, delete the intersecting matching conditions from any policy or combine the two policies.
Generalization Anomaly
If matching conditions in Policy 1 are included in Policy 2, Policy 2 is inclusive of Policy 1. If their actions are different, a generalization anomaly occurs. A shadow anomaly occurs if the two security policies are interchanged so that they are in a reverse order.
Example:
No. |
Name |
Source Security Zone |
Destination Security Zone |
Source Address/Region |
Destination Address/Region |
Service |
Action |
|---|---|---|---|---|---|---|---|
101 |
Policy 1 |
trust |
dmz |
10.1.1.10 |
10.2.1.10 |
telnet |
deny |
102 |
Policy 2 |
trust |
dmz |
10.1.1.1-10.1.1.100 |
10.2.1.1-10.2.1.10 |
telnet ftp |
permit |
A specific exception policy is usually inserted prior to a security policy. As such, a generalization anomaly may be a normal case. In this case, analyze whether Policy 1 is an appropriate exception of Policy 2 based on service requirements.